Researchers disclosed two high-severity Linux kernel vulnerabilities that allow untrusted users to escalate privileges to root. One flaw, named Januscape (CVE-2026-53359), affects KVM virtualization and enables guest virtual machines to escape containment and execute code on the host, while the other, GhostLock (CVE-2026-43499), is a use-after-free bug in the futex priority-inheritance code enabling local root escalation. Google awarded $250,000 and $92,337 through its bug bounty program for these vulnerabilities, which have now been patched in the Linux kernel.
Google Pays $250K for Linux Vulnerability Allowing Guest VM Escapes

